I have a query about Ranger admin account authentication being done from an OpenLDAP server.
-- When I log in to the Ranger UI, it asks for credentials; I enter the defaults, i.e. admin - admin, and it logs me in.
Ranger is integrated with OpenLDAP by updating the LDAP configs in ranger - config - advanced - common configs, users config and group configs.
Question1: Now if I log back in to the Ranger UI, will it accept the Ranger default admin credential or will it accept the OpenLDAP admin credential?
The Ranger plugin for any service like HDFS has a username/password mentioned, which is also admin/admin by default.
After integrating with OpenLDAP, does the OpenLDAP admin password need to be updated in the UI of the Ranger HDFS plugin and under hdfs service - config - ranger-hdfs-plugin properties?
- Vijay Mishra
-- Internal users will work fine even after LDAP integration. The 'admin' user is an internal user and it should work fine.
-- LDAP users are considered external users from Ranger's perspective, and the Ranger UI should show them as external.
-- LDAP users should use the LDAP password to log in to Ranger.
-- No need to update any plugin properties.
-- In a Kerberos environment, plugins use keytabs for downloading policies from Ranger. For resource lookup, the rangerlookup keytab is used.
Thanks for the reply.
Query on question1:
So post LDAP integration, even if LDAP has a user admin in it, when logging in on the Ranger UI the user admin will get authenticated by the Ranger DB, not by OpenLDAP, right?
Query on Question2:
a. No Kerberos:
All plugin repos have a username/password defined, which is admin/admin, so post LDAP integration will the plugin repo get authenticated by the Ranger DB or OpenLDAP?
b. With Kerberos:
Do I need to create a separate/single principal/keytab for all plugin repos of Ranger like hdfs, hbase, kafka, yarn, etc.?
- Vijay Mishra
Internal users will be authenticated via the Ranger password while LDAP users will be authenticated by the LDAP password. If you want to designate an LDAP user as a "ranger admin" user, you need to change their role within the Ranger UI.
With Kerberos, Ambari will generate all required keytabs. The user name/password defined in the repo is used only for lookup (Ranger uses this information to talk to the actual service, so no LDAP or Ranger authentication here), so it needs to be configured as required.
Hope this helps.